When a CISO presents the board with a security testing plan, two terms come up almost immediately: penetration testing and vulnerability assessment. The two are often used interchangeably — sometimes bundled under the acronym VAPT — but they are fundamentally different exercises with different goals, outputs, and price tags.
Getting this wrong is expensive. Companies that run vulnerability scans when they need a pentest end up with a false sense of security. Companies that commission full red-team exercises when a focused scan would do overpay for coverage they don’t need. This guide gives you the clarity to make the right call.
What Is a Vulnerability Assessment?
A vulnerability assessment (VA) is a systematic, automated process of identifying known security weaknesses across your systems. The goal is to produce a comprehensive inventory of vulnerabilities — misconfigurations, outdated software, missing patches, weak credentials — ranked by severity.
How It Works
A VA engagement typically involves:
- Scope definition — which IP ranges, domains, and systems are in scope
- Discovery scanning — enumerating live hosts, open ports, running services
- Vulnerability scanning — running tools like Nessus, Qualys, or OpenVAS against discovered services
- Risk ranking — vulnerabilities scored using CVSS (Common Vulnerability Scoring System)
- Report generation — a findings report with severity ratings and remediation guidance
The process is largely automated. A skilled analyst reviews the output to eliminate false positives and add context, but the heavy lifting is done by scanners.
What You Get
- A list of every known CVE affecting your environment
- CVSS scores and severity classifications (Critical / High / Medium / Low / Informational)
- Remediation recommendations for each finding
- A benchmark you can re-run after patching to confirm fixes
What You Don’t Get
- Proof that vulnerabilities are actually exploitable in your environment
- Business impact of a successful attack
- Attack chains that combine multiple low-severity issues into a critical breach
- Any assessment of your detection and response capabilities
What Is a Penetration Test?
A penetration test is a simulated, goal-driven attack performed by skilled security professionals. The tester takes on the role of an adversary and attempts to breach defined targets using the same techniques a real attacker would use — within an agreed scope and timeline.
How It Works
A pentest engagement typically follows a structured methodology:
- Scoping and rules of engagement — what systems are in scope, what techniques are permitted, what constitutes a “win”
- Reconnaissance — passive and active information gathering (OSINT, DNS enumeration, fingerprinting)
- Exploitation — actively attempting to exploit discovered vulnerabilities
- Post-exploitation — lateral movement, privilege escalation, data exfiltration simulation
- Reporting — detailed technical findings with proof-of-concept, business impact, and remediation steps
The process requires human expertise. Automated tools are used as aids, but the real value is in the tester’s ability to chain vulnerabilities, understand business context, and think like an attacker.
What You Get
- Confirmed exploitable vulnerabilities with proof-of-concept evidence
- Attack narratives showing how an adversary would move through your environment
- Business impact analysis — what data could be accessed, what systems could be disrupted
- Assessment of your detection capabilities (did your SOC catch the tester?)
- Prioritised remediation roadmap based on actual exploitability
What You Don’t Get
- Exhaustive coverage of every CVE in your environment (a pentest focuses on what matters, not everything)
- An automated, repeatable scan you can run monthly
Key Differences at a Glance
| Dimension | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Goal | Identify known weaknesses | Simulate a real attack |
| Method | Automated scanning + analyst review | Manual, goal-driven attack simulation |
| Depth | Broad coverage, shallow depth | Narrow focus, deep exploitation |
| Exploitability | Not confirmed | Actively confirmed |
| Business impact | Estimated via CVSS | Demonstrated with evidence |
| Skill required | Analyst-level | Senior security engineer / ethical hacker |
| Duration | Days | 1–4 weeks typically |
| Cost | Lower | Higher |
| Frequency | Monthly / quarterly | Annually or after major changes |
| Output | Vulnerability list + CVSS scores | Attack narrative + exploitation evidence |
VAPT: The Combined Approach
Most security testing engagements are actually VAPT — Vulnerability Assessment and Penetration Testing — a combination of both approaches. The VA identifies the attack surface, and the pentest validates exploitability and demonstrates business impact.
This is the most common commercial offering and is typically what regulators and compliance frameworks (PCI DSS, ISO 27001, SOC 2) are asking for when they require “penetration testing.”
When Do You Need a Vulnerability Assessment?
Our vulnerability management service provides the continuous scanning layer, while a penetration test validates exploitability and business impact.
Run a VA when you need:
- Continuous hygiene — monthly or quarterly scans to catch new CVEs and patch gaps
- Pre-pentest baselining — clean up the obvious before a tester spends expensive hours on low-hanging fruit
- Post-patch validation — confirm that a remediated vulnerability is actually fixed
- Compliance evidence — some frameworks accept periodic scans as evidence of due diligence
- Large, dynamic environments — cloud infrastructure that changes weekly benefits from automated, continuous scanning
When Do You Need a Penetration Test?
Commission a pentest when:
- Compliance requires it — PCI DSS, ISO 27001, SOC 2, and most enterprise customer contracts explicitly require periodic penetration testing
- You’re launching a new product or service — test before you expose it to real users
- You’ve made significant infrastructure changes — cloud migration, new application deployment, network re-architecture
- You want to test your defences — can your SOC detect an attacker? A pentest tells you
- You’re in a high-risk industry — financial services, healthcare, critical infrastructure, fintech — where a breach has catastrophic consequences
- After an incident — understand how attackers got in and whether they could do it again
Choosing the Right Pentest Type
Once you’ve decided you need a pentest, the next question is what type:
By Knowledge Level
| Type | Description | Best For |
|---|---|---|
| Black Box | Tester has no prior knowledge — simulates an external attacker | External attack simulation |
| Grey Box | Tester has partial knowledge (credentials, architecture docs) | Most web app and cloud assessments |
| White Box | Tester has full access (source code, architecture, credentials) | Code security review, DevSecOps integration |
By Scope
- Network penetration testing — internal and external network infrastructure
- Web application penetration testing — web apps, APIs, admin portals
- Mobile application penetration testing — iOS and Android apps
- Cloud security assessment — AWS, Azure, GCP configuration review and exploitation
- Social engineering — phishing simulations, vishing, physical access
- Red team exercise — full-scope, multi-vector attack simulation over weeks or months
What the Report Should Include
Whether it’s a VA or pentest, the final report is what you pay for. A quality report includes:
Executive Summary
- Non-technical overview for the board and C-suite
- Overall risk posture (Critical / High / Medium / Low)
- Key findings narrative
Technical Findings
- Each vulnerability with: title, severity, affected asset, description, proof-of-concept evidence, business impact, remediation steps
- CVSS scores with environmental context
Attack Narrative (pentest only)
- Step-by-step account of how the tester moved through the environment
- Lateral movement paths, privilege escalation routes, data accessed
Remediation Roadmap
- Prioritised action plan, not just a list
- Quick wins vs. long-term architectural changes
Compliance Requirements: What Do They Actually Ask For?
| Framework | Requirement |
|---|---|
| PCI DSS v4.0 | Annual pentest + quarterly vulnerability scans |
| ISO 27001:2022 | Periodic security assessments (pentest implied in Annex A.8.8) |
| SOC 2 | Periodic penetration testing (frequency at auditor discretion, typically annual) |
| DORA (EU) | Threat-led penetration testing (TLPT) for financial entities |
| SAMA (Saudi Arabia) | Annual VAPT for financial sector |
| RBI (India) | Quarterly VAPT for banking and NBFC |
If your customers or prospects are enterprise, they will ask for your most recent pentest report in security questionnaires. Having one on hand accelerates deals.
Cost Expectations
Costs vary significantly by scope, geography, and provider quality.
| Engagement Type | Typical Range (USD) |
|---|---|
| Vulnerability Assessment (small-medium environment) | $2,000 – $8,000 |
| Web Application Pentest | $5,000 – $20,000 |
| Network Pentest (external + internal) | $8,000 – $25,000 |
| Cloud Security Assessment | $8,000 – $30,000 |
| Red Team Exercise | $25,000 – $100,000+ |
Offshore providers (India, Eastern Europe) typically deliver comparable quality at 40–60% lower cost than US/UK firms. The key is to evaluate methodology, certifications (OSCP, CREST, CEH), and report quality — not just price.
The Bottom Line
Vulnerability assessment tells you what’s broken. Penetration testing tells you what’s exploitable and what it means for your business.
For most organisations, the right programme combines both: automated VA scanning runs continuously, and a scoped pentest validates the risk and satisfies compliance requirements once or twice a year. As your security maturity grows, you layer in red team exercises to test your detection and response capabilities.
The worst outcome is choosing neither because the distinction seems confusing. A single undetected vulnerability in an internet-facing application can lead to a breach that costs orders of magnitude more than any testing engagement.
CyberneticsPlus is a CREST-accredited and certified penetration testing firm based in Bengaluru. We also provide ongoing vulnerability management to keep your environment continuously assessed between point-in-time tests. We conduct web application, network, cloud, and mobile pentests for clients across financial services, SaaS, healthcare, and enterprise. Get in touch to scope your next engagement.
Understanding Remediation After Testing
Once you have results from either a vulnerability assessment or a penetration test, the real work begins. Many organisations treat the report as the endpoint — they receive it, file it, and use it to satisfy compliance requirements. This is the wrong approach. The report is the starting point for a systematic remediation programme.
Building a Remediation Workflow
A structured remediation workflow ensures findings don’t languish:
Step 1: Triage and validation Not every finding in a vulnerability assessment report is accurate. Automated scanners produce false positives — especially for complex configurations. Before assigning remediation work, validate the finding. This is particularly important for medium and low-severity issues that could generate hundreds of tickets.
For penetration test findings, the report should already include exploitation evidence — but still validate that the finding applies to your production environment, not just the test environment.
Step 2: Risk scoring and prioritisation Apply a risk-based prioritisation framework (see our guide on risk-based vulnerability management) rather than pure CVSS scoring. Key factors:
- Is the vulnerability currently being exploited in the wild (check CISA KEV)?
- Is the affected asset internet-facing?
- What is the business impact of compromise?
- Does a working exploit exist publicly?
Step 3: Ownership assignment Every finding needs an owner — a specific engineer or team responsible for remediation. Unassigned findings rarely get fixed. Use your issue tracker (JIRA, Linear, GitHub Issues) to create a ticket per finding, assigned to the relevant engineering team.
Step 4: SLA-based deadlines Define remediation SLAs by risk tier:
| Risk Level | Remediation SLA |
|---|---|
| Critical (active exploitation) | 24–72 hours |
| High | 14 days |
| Medium | 30 days |
| Low | 90 days |
| Informational | Next release cycle |
Step 5: Verification After remediation, verify the fix. For vulnerability assessments, re-run the scanner on the affected component. For penetration test findings, schedule a retest — most professional pentest firms include a free retest for critical and high findings.
Advanced Testing Approaches: Red Team vs Purple Team
Beyond standard penetration testing and vulnerability assessments, mature security programmes use two advanced testing methodologies:
Red Team Exercises
A red team exercise is a full-scope, multi-vector attack simulation that tests not just the security of your systems, but the effectiveness of your entire security programme — including detection, response, and human factors.
Key differences from a standard pentest:
| Dimension | Standard Pentest | Red Team Exercise |
|---|---|---|
| Scope | Defined and narrow | Open — realistic attacker simulation |
| Duration | 1–4 weeks | 4–12 weeks |
| Notification | Blue team knows testing is happening | Blue team unaware |
| Techniques | Technical vulnerabilities | Full kill chain: phishing, physical, technical |
| Goal | Find vulnerabilities | Test detection and response capability |
| Reporting | Vulnerabilities + remediation | Full attack narrative + detection gaps |
Red team exercises are appropriate when:
- You already patch regularly and want to test your detection capability
- You need to satisfy specific regulatory requirements (DORA TLPT, TIBER-EU)
- Your CISO needs to demonstrate security posture to the board with real-world evidence
Cost: £50,000–£250,000+ for a full-scope engagement. The high cost reflects the senior expertise, extended timeline, and breadth of techniques involved.
Purple Team Exercises
A purple team exercise involves the offensive team (red) and defensive team (blue) working collaboratively — sharing techniques, testing detection rules, and immediately improving defences.
The red team executes a specific MITRE ATT&CK technique. The blue team attempts to detect it. If detection fails, they immediately work together to write and implement a new detection rule, then the red team re-executes to confirm the new detection works.
This iterative cycle dramatically accelerates detection improvement and is more efficient than waiting for a full red team engagement report to drive defensive improvements.
When to use purple team: When you want to rapidly improve your SOC detection capabilities and can commit your blue team to active participation in the exercise.
Compliance Deep-Dive: What Each Framework Actually Requires
PCI DSS v4.0 Requirements 11.3 and 11.4
PCI DSS v4.0 (effective 2024) significantly expanded penetration testing requirements:
11.3.1: Annual penetration testing of all CDE (Cardholder Data Environment) network components 11.3.2: Annual penetration testing of all segmentation controls — confirming that CDE is isolated from other networks 11.3.3: Exploitable vulnerabilities found during pentest must be corrected, with retest to confirm 11.4.2: Penetration testing methodology must include OWASP, SANS, or NIST SP 800-115 11.4.3: Service providers must perform penetration testing at least every six months
What PCI assessors look for in a pentest report:
- Explicit statement that all CDE-connected systems were tested
- Segmentation testing results (proof that CDE is isolated)
- Testing methodology referenced (OWASP, NIST, etc.)
- All High and Critical findings remediated with evidence
- Retest performed after remediation
ISO 27001:2022 Annex A.8.8
ISO 27001:2022 Annex A.8.8 (Management of Technical Vulnerabilities) requires organisations to “obtain timely information about technical vulnerabilities of information systems in use” and “evaluate the organisation’s exposure to such vulnerabilities.”
While the standard doesn’t explicitly mandate penetration testing by name, A.8.8 combined with A.8.9 (Configuration Management) and A.5.37 (Documented Operating Procedures) make periodic penetration testing an expected control in most ISO 27001 certification audits.
Certification body auditors will typically ask:
- How often do you conduct penetration testing?
- Can you show the most recent pentest report?
- How were findings tracked and remediated?
SOC 2 Trust Service Criteria
SOC 2 CC6 (Logical and Physical Access Controls) and CC7 (System Operations) are the relevant criteria for penetration testing:
CC6.6: The entity implements logical access security measures to protect against unauthorized access to system resources CC7.1: The entity uses detection and monitoring procedures to identify changes in the system CC7.3: The entity evaluates security events to determine whether they could or have resulted in a failure
SOC 2 auditors (at AICPA-member firms) increasingly expect annual penetration testing as evidence of due diligence under CC6 and CC7. The frequency and scope is at auditor discretion, but annual is the industry standard expectation.
How to Prepare for a Penetration Test
Getting the most value from a penetration test requires preparation before the tester begins:
Pre-Test Preparation Checklist
Two weeks before:
- Define and finalise scope (all in-scope URLs, IP ranges, applications, user roles)
- Create dedicated test accounts for all user roles to be tested (do not use real user accounts)
- Prepare network diagrams and architecture documentation (for grey/white box)
- Notify cloud provider (AWS, Azure, GCP) — most require notification for penetration testing
- Inform your IT and DevOps teams — reduce confusion if they see unusual traffic
One week before:
- Run a vulnerability assessment as a pre-test baseline — fix the obvious issues so tester time is spent on harder problems
- Verify test accounts have appropriate data and permissions
- Establish communication channels (Slack/Teams workspace with the testing team)
- Confirm emergency contact list and escalation procedures
Day of testing:
- Confirm testing window (start time, testing hours)
- Ensure tester has all credentials and access required
- Brief your on-call team that penetration testing is in progress
Deciding Whether to Inform Your SOC
Whether to inform your blue team (SOC) that testing is happening is a strategic decision:
Inform the SOC: Testing proceeds without interference. Useful when you want a clean pentest result — your security team doesn’t spend time chasing the tester’s activity.
Don’t inform the SOC: Tests your detection capability simultaneously. Can your SOC identify the penetration test activity? This is valuable but requires careful scoping to avoid escalating into a full incident response.
Most first-time pentest engagements inform the SOC. Once you’ve established a clean baseline, purple team or “assumed breach” exercises test detection without notification.
Frequently Asked Questions
Q: How often should we run a penetration test?
A: For most organisations, annually is the baseline minimum. PCI DSS requires at least annually, and after significant changes. SOC 2 auditors expect at least annual. Beyond compliance, the right frequency depends on your risk profile: fast-moving SaaS companies with frequent releases benefit from quarterly application testing; financial services companies often do semi-annual network and application tests. A continuous vulnerability scanning programme (our managed vulnerability management service) fills the gaps between point-in-time tests.
Q: What’s the difference between a grey box and black box pentest?
A: Black box simulates an attacker with no prior knowledge — they start from zero, as an external attacker would. Grey box provides the tester with partial information (credentials, architecture docs, API documentation) to focus effort on deeper testing rather than reconnaissance. White box provides full access including source code. For most web application and cloud assessments, grey box provides the best balance of depth and efficiency. Black box is most valuable when you want a realistic external attacker simulation.
Q: Can we share a pentest report with a customer?
A: Yes, but selectively. Share the executive summary freely — it communicates overall risk posture without operational detail. For the technical report, share it only under NDA, with your most important enterprise customers who require it for their supplier security assessments. Redact or sanitise vulnerability details that could assist an attacker if the report were leaked.
Q: Should we fix vulnerabilities before or after the pentest?
A: Fix what you know is broken before — run a vulnerability assessment first if you haven’t recently, and patch obvious high-severity issues. This ensures the tester spends time on harder, more valuable findings rather than low-hanging fruit you already know about. After the test, remediate findings by risk priority, then schedule a retest of critical findings.
Q: How do we choose a penetration testing provider?
A: Evaluate on: certifications held by testers (OSCP, CPENT, CREST CRT, CEH), sample reports from previous engagements, methodology documentation (do they reference OWASP, PTES, NIST SP 800-115?), retest policy, and client references. Price alone is not a good signal — some of the best offshore providers (India, Eastern Europe) cost significantly less than US/UK firms while delivering equivalent or better output. Ask to speak with two or three clients from your industry before signing.
Q: What do we do with the pentest report after remediation?
A: Archive it. Regulators, auditors, and enterprise customers may ask to see historical reports going back 3–5 years. Use findings to update your threat model, developer security training curriculum, and security requirements for future projects. Track remediation closure rates as a security programme KPI. Use the report in your next CISO board presentation to demonstrate proactive security investment.
Q: Is VAPT (Vulnerability Assessment and Penetration Testing) the same as a penetration test?
A: VAPT is a combined offering that includes both a vulnerability assessment and a penetration test. It’s not a separate methodology — it’s a bundle. Most commercial security testing engagements are effectively VAPT: the VA identifies the attack surface, and the pentest validates exploitability and demonstrates business impact. When vendors advertise VAPT, clarify what portion is automated scanning and what portion is manual exploitation by skilled testers.